# in a single service process, or 0 for no limit.
MaxConcurrentRequests: 64
+ # Maximum number of incoming requests to hold in a priority
+ # queue waiting for one of the MaxConcurrentRequests slots to be
+ # free. When the queue is longer than this, respond 503 to the
+ # lowest priority request.
+ #
+ # If MaxQueuedRequests is 0, respond 503 immediately to
+ # additional requests while at the MaxConcurrentRequests limit.
+ MaxQueuedRequests: 64
+
+ # Maximum time a "lock container" request is allowed to wait in
+ # the incoming request queue before returning 503.
+ MaxQueueTimeForLockRequests: 2s
+
# Fraction of MaxConcurrentRequests that can be "log create"
# messages at any given time. This is to prevent logging
# updates from crowding out more important requests.
# Use 0 to disable activity logging.
ActivityLoggingPeriod: 24h
+ # The SyncUser* options control what system resources are managed by
+ # arvados-login-sync on shell nodes. They correspond to:
+ # * SyncUserAccounts: The user's Unix account on the shell node
+ # * SyncUserGroups: The group memberships of that account
+ # * SyncUserSSHKeys: Whether to authorize the user's Arvados SSH keys
+ # * SyncUserAPITokens: Whether to set up the user's Arvados API token
+ # All default to true.
+ SyncUserAccounts: true
+ SyncUserGroups: true
+ SyncUserSSHKeys: true
+ SyncUserAPITokens: true
+
+ # If SyncUserGroups=true, then arvados-login-sync will ensure that all
+ # managed accounts are members of the Unix groups listed in
+ # SyncRequiredGroups, in addition to any groups listed in their Arvados
+ # login permission. The default list includes the "fuse" group so
+ # users can use arv-mount. You can require no groups by specifying an
+ # empty list (i.e., `SyncRequiredGroups: []`).
+ SyncRequiredGroups:
+ - fuse
+
+ # SyncIgnoredGroups is a list of group names. arvados-login-sync will
+ # never modify these groups. If user login permissions list any groups
+ # in SyncIgnoredGroups, they will be ignored. If a user's Unix account
+ # belongs to any of these groups, arvados-login-sync will not remove
+ # the account from that group. The default is a set of particularly
+ # security-sensitive groups across Debian- and Red Hat-based
+ # distributions.
+ SyncIgnoredGroups:
+ - adm
+ - disk
+ - kmem
+ - mem
+ - root
+ - shadow
+ - staff
+ - sudo
+ - sys
+ - utempter
+ - utmp
+ - wheel
+
AuditLogs:
# Time to keep audit logs, in seconds. (An audit log is a row added
# to the "logs" table in the PostgreSQL database each time an